SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XII - Issue #27

April 06, 2010

SANSFIRE has just opened for registrations. This is the largest cyber conference in the US Capital region, and features the stars of the Internet Storm Center sharing the new attack data they are seeing. Register for a course at SANSFIRE and attend the Storm Center briefings at no cost. https://www.sans.org/sansfire-2010/

---

TOP OF THE NEWS

Boeing, U.S. Government Step Up Recruitment for 'Cyberwarriors'
Domain Name Registrars Distancing Themselves From China
UK's Digital Economy Bill Assigns Users Burden of Protecting Wireless Networks

THE REST OF THE WEEK'S NEWS

Companies Should Reevaluate Security Resource Allocations
Mozilla Updates Firefox Again
Attempted Cyber Intrusion at Texas Electricity Provider
Cyberwar Rhetoric Starting to Chafe
DOE Seeking Applicants for National Electric Sector Cyber Security Organization Grant
DHS to Issue Conficker Report
Oracle Releases Update for Java
Australian Plan to Filter Internet Meets With Criticism

---

**************** Sponsored By Trusted Computer Solutions ****************
OS hardening is risky business when relying on manual scripts to secure your enterprise. Security Blanket automates this error prone process for consistent hardening to guidelines such as DISA STIGs and SANS CAG Top 20 Critical Controls. Saving time and complying with policy is what Security Blanket is all about. Try it for FREE today!
http://www.sans.org/info/57578
*************************************************************************

TRAINING UPDATE
-- SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/

-- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/

-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/

-- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/

-- SANS Boston 2010, August 2-8, 2010 11 courses
http://www.sans.org/boston-2010/

Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php

Plus Geneva, Toronto, Amsterdam and Canberra all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************

---

TOP OF THE NEWS

Boeing, U.S. Government Step Up Recruitment for 'Cyberwarriors' (April 6, 2010)

Cal Poly Pomona was the site of a regional cyber security competition for the National Collegiate Cyber Competition and will be the site of the California Cyber Camp this summer as part of the 2010 US Cyber Challenge. Boeing was on hand to hire the best - because it, like every contractor in the information security space, needs technical talent to replace the people with soft skills that have been the norm in federal cyber security.
-http://www.bloomberg.com/apps/news?pid=20601100&sid=abmfWsuQyyk0
[Editor's Note (Paller): High school and college kids who know their way around computers can win scholarships and internships and places in the cyber camps. See www.uscyberchallenge.org ]

Domain Name Registrars Distancing Themselves From China (April 2 & 5, 2010)

In recent weeks, three domain name registrars have announced that they are pulling out of China. Go Daddy and Network Solutions made their decisions to withdraw from China last month, and last week, Australia's Net Registry announced that it will not accept new accounts in China, although it will continue to host current .cn sites. In a separate story, the Foreign Correspondents' Club of China has issued a statement that its website has been taken down after it came under attack. While the organization does not know who is responsible for the denial-of-service attacks, the attacks have been linked to computers in the US and China. The event follows the suspected breach of journalists' Yahoo email accounts.
-http://ibtimes.com.au/articles/20100402/foreign-journalists-site-china-attacked.
htm
-http://voices.washingtonpost.com/posttech/2010/04/another_incident_another_compa
.html
-http://news.cnet.com/8301-30684_3-20001095-265.html
-http://www.washingtonpost.com/wp-dyn/content/article/2010/03/29/AR2010032903511.
html
[Editor's Note (Northcutt): This could be huge. Will China run the Internet in the future? Probably. If you are 25 years old or younger, this might be a wise time to take a class in Mandarin Chinese. We can hold the line for while, but not forever. ]

UK's Digital Economy Bill Assigns Users Burden of Protecting Wireless Networks (April 3, 2010)

The Digital Economy Bill, which is expected to pass Parliament this week, specifies wi-fi security required of UK Internet users. Many users would have to spend as much as GBP 70 (US $107) for routers to protect their wi-fi connections or face fines or disconnection if attackers use their unprotected connections for illegal filesharing activity. Users who have older laptops may have to purchase new GBP 20 (US $30) wi-fi cards to protect their computers from intrusions. The bill has also been called a potential "death-knell" for public access wi-fi because coffee shops and other businesses offering free wireless Internet can also be held liable for illegal filesharing activity conducted over their networks.
-http://business.timesonline.co.uk/tol/business/industry_sectors/technology/artic
le7086250.ece
[Editor's Note (Pescatore): There's silliness on both sides of this. The odds that a household will be attacked via open WiFi is orders of magnitude lower than their likelihood of malware coming over the wired Internet and compromising their home network. So, the risk is being overhyped, but the cost of making home WiFi secure is being way over-hyped as well. The bigger issue is the language trying to make ISPs responsible for blocking sites that are allowing "substantial" infringement of copyrights, designs and patents - this is a real briar patch. ]

---

*************************** Sponsored Links ***************************
1) Implement least-privilege security management in complex Linux and UNIX environments leveraging existing infrastructure. On-demand webinar.
http://www.sans.org/info/57583

2) Get real-world forensic techniques from industry-recognized experts at the 2010 European Community Digital Forensics & Incident Response Summit April 19-20 in London.
http://www.sans.org/info/57588
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

Companies Should Reevaluate Security Resource Allocations (April 5, 2010)

According to a study from Forrester Research conducted on behalf of RSA and Microsoft, companies may not be taking adequate precautions to protect intellectual property and proprietary information. Compliance initiatives like the payment card industry data security standard (PCI-DSS) and data protection laws in Europe, New Zealand, and Australia require companies to take steps to protect custodial data. The companies acknowledge that their data security budgets are directed more at compliance with regulations and laws surrounding consumer data rather than at protecting company intellectual property assets. Forrester, Microsoft and RDA make several recommendations for companies to get their data security strategies in line with the true value of the data themselves, including identifying and assessing the value of the data they hold and realigning their security strategies so that secrets and intellectual property are adequately protected.
-http://darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=2242
01369&subSection=Vulnerabilities+and+threats
-http://www.rsa.com/go/press/RSATheSecurityDivisionofEMCNewsRelease_4510.html
The full paper is available at
-http://download.microsoft.com/download/F/2/3/F2398E9C-94FE-496C-BFB2-9DEFE1502AB
D/Forrester%20TLP%20-%20The%20Value%20of%20Corporate%20Secrets.pdf
[Editor's Note (Schultz): Although I very much appreciate the Forrester Group and the work it does, I fear that in this particular instance it has spent a lot of time and effort telling us what we already know. We know what to do, but organizations are simply not doing what they have to do to secure their information assets better. ]

Mozilla Updates Firefox Again (April 1 & 5, 2010)

Mozilla has released an update for Firefox to address a critical memory corruption flaw that could be exploited to execute remotely injected code. Firefox users are urged to upgrade to version 3.6.3 if they have not already done so; users who are already running Firefox 3.6 should already have received automated update notifications. Mozilla just released Firefox 3.6.2 at the end of March. Mozilla also says it plans to fix an information leak that has affected major browsers for more than 10 years. That problem lies in the cascading style sheets history attack and causes visited links to be displayed in purple instead of blue. Previous suggested solutions to the problem interfered with the browsers' functionality, but Mozilla developers say they have arrived at a solution that will not compromise browser performance.
-http://www.h-online.com/security/news/item/Firefox-3-6-3-closes-a-critical-hole-
969805.html
-http://www.theregister.co.uk/2010/04/05/firefox_browsing_history_fix/
-https://developer.mozilla.org/devnews/index.php/2010/04/01/firefox-3-6-3-securit
y-update-now-available/
-http://www.mozilla.org/security/announce/2010/mfsa2010-25.html
-http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/

Attempted Cyber Intrusion at Texas Electricity Provider (April 3, 2010)

A Texas news outlet has reported that one of the state's largest electricity providers was the target of an attempted cyber attack. A confidential email from the Electricity Reliability Council of Texas obtained by Local 2 Investigates said that an IP address in China was used 4,800 times to attempt to log in to the computer system of the Lower Colorado River Authority (LCRA). The attacker was unsuccessful. The LCRA provides electricity to more than one million Texas residents in rural areas. Neither the LCRA nor the FBI would comment about the reported incident.
-http://www.click2houston.com/news/23046216/detail.html

Cyberwar Rhetoric Starting to Chafe (March 31 & April 2 & 4, 2010)

US Senators Olympia Snowe (R-Maine) and Jay Rockefeller (D-W. Va), co-authors of the Cybersecurity Act, wrote in an op-ed column in the Wall Street Journal this weekend that the country needs to prepare for cyber war. They warned of attacks that could "disrupt or disable vital information networks" and "cause catastrophic economic loss and social havoc." However, in March, White House Cybersecurity Coordinator Howard Schmidt told Wired magazine that "there is no cyberwar," and there is a growing and increasingly vocal group of cyber security experts that thinks the cyber war rhetoric is overblown.
-http://www.computerworld.com/s/article/9174682/Senators_ramp_up_cyberwar_rhetori
c_?source=CTWNLE_nlt_pm_2010-04-02
-http://walt.foreignpolicy.com/posts/2010/03/30/is_the_cyber_threat_overblown
-http://www.federaltimes.com/article/20100404/ADOP05/4040301/
[Editor's Note (Paller): This argument is silly. Billions are being spent on cyber espionage. The United States and its allies are not faring very well in this timeless competition through which nations prepare to win - or at least avoid - future wars.
(Weatherford): In his 1994 book, "Agendas, Alternatives, and Public Policies", John Kingdon characterized the term, "Policy Window" where he described the process by which policy issues achieve sufficient momentum to gain traction on the government agenda. The Policy Window concept makes me think of the 'perfect storm' metaphor because it's all about timing. A little too early or a little too late and you've missed the window of opportunity. There have been so many fits and starts in addressing cybersecurity issues that I'm starting to wonder if the nation has already missed the "Policy Window?"
(Schultz): I am no particular fan of cyberwar and information warfare jargon. At the same time, however, it is clear that the U.S. is losing the battle in these arenas, and has been doing so for years. The sooner the U.S. government wakes up to this fact, the sooner it will do better in defending its systems and information from attackers. ]

DOE Seeking Applicants for National Electric Sector Cyber Security Organization Grant (April 1 & 2, 2010)

The US Department of Energy (DOE) plans to award a US $10 million grant to establish an authority to protect the country's electric power grid. The National Electric Sector Cyber Security Organization will be charged with developing strategies to ensure the security of emerging technologies used in the energy industry, such as the smart grid. The organization would also be responsible for promoting information sharing about cyber attacks. Applicants have until April 30, 2010 to submit proposals.
-http://fcw.com/blogs/quick-study/2010/04/energy-grid-cybersecurity-grants.aspx
-http://www.networkworld.com/community/node/59586

DHS to Issue Conficker Report (April 1, 2010)

The US Department of Homeland Security (DHS) plans to release a report this month on worldwide efforts to stave off the spread of Conficker. The report will describe the creation and efforts of the Conficker Working Group, a coalition of researchers and Internet providers focused on addressing the malware. The group "was a very good example of the private sector, globally, working together to try to solve a cybersecurity attack;" the report aims to identify "what worked
[and ]
what didn't work" and to develop a model of cooperation that will enable effective responses in the future.
-http://www.networkworld.com/news/2010/040210-dhs-studying-global-response-to.htm
l?source=NWWNLE_nlt_security_2010-04-05

Oracle Releases Update for Java (April 1 & 2, 2010)

Oracle has released new versions of Java for Windows, Linux and Solaris systems. The update, Java 6 Update 19, incorporates 27 fixes for security issues in earlier versions of the software. The Java installer now removes older versions of the software, but it has not always done so. If users have older versions of Java running, they may find several versions of the software on their computers; these should be removed. Brian Krebs recommends that if you don't use Java, don't install it at all; if you need it later, you can install it at that time. The software is increasingly being targeted by malware. If you choose to install the update, read the windows carefully; Java will install several browser toolbars by default.
-http://www.krebsonsecurity.com/2010/04/java-patch-plugs-27-security-holes/#more-
2234
-http://www.pcmag.com/article2/0,2817,2362201,00.asp
-http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpum
ar2010.html
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=8572

Australian Plan to Filter Internet Meets With Criticism (March 29, 2010)

US State Department officials have expressed concern over the Australian government's plan to deploy Internet filters. The practice runs counter to the US policy of encouraging open Internet access around the world. Google has voiced its opinion that the Australian plan could inhibit the free flow of information and is likely to be ineffective in preventing the spread of offensive Internet content.
-http://www.theaustralian.com.au/business/media/stephen-conroy-and-us-at-odds-on-
net-filter/story-e6frg996-1225846614780
[Editor's Note (Pescatore): No one complains about routine spam and anti-viral filtering of commercial web-email, and Google routinely interrupts access to malware-infested sites. The issue is not having some form of a blacklist; the issue with the Australian plan is the criteria used to add sites to the blacklist. What's needed is a transparent process, much like what has been done for rating content in movies. ]

---

**********************************************************************
The Editorial Board of SANS NewsBites


Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC)


John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.


Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.


Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.


Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.


Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.


Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.


Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.


Alan Paller is director of research at the SANS Institute


Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.


Clint Kreitner is the founding President and CEO of The Center for Internet Security.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/